In an update to the ongoing incidents surrounding the MySejahtera app, it has been found that some users are not just receiving unsolicited OTP request messages, but emails as well.
Not just texts, but emails too?
According to various Twitter users including Lembah Pantai MP Fahmi Fadzil, spam emails were sent to their inboxes via the donotreply@mysejahtera.org automated email address. The accompanying message in the email would typically read:
“You’ve tested positive for covid nahhh, joking. plenty of exploits to show twitter search “otp.”
The ‘OTP’ in the message alludes to the OTP requests that were earlier sent out to private numbers at random.
Yeah I got this too, as late as this morning
Also whole of yesterday@my_sejahtera pic.twitter.com/7PjYts2ExO
— Fahmi Fadzil 🇲🇾🏴 (@fahmi_fadzil) October 20, 2021
A separate email also claims that external parties have breached through the app’s security, enclosed with a photo of Rick Astley’ from the music video of his infamous single, ‘Never Gonna Give You Up’.
I’ve been getting (rickrolled) emails from @my_sejahtera since early Sunday morning, which means the exploit was known at least since then or around then. pic.twitter.com/JQZYCgrUNo
— Fahmi Fadzil 🇲🇾🏴 (@fahmi_fadzil) October 20, 2021
As of writing, the MySejahtera app development team has released a statement concerning the OTP messages, claiming that they had traced the source of the issue to ‘malicious scripts’ that were misappropriating the app’s QR check-in function. The team stresses that user data was not compromised as a result of these ‘malicious scripts’. However, no mention was yet made on the subject of the spam emails.
Security concerns surrounding MySejahtera
This has raised concerns among the public as to the safety and security of the app, which has grown to become an integral aspect of Malaysia’s COVID-19 response efforts.
Developed to improve contact-tracing efforts in Malaysia during the early stages of the COVID-19 pandemic, the MySejahtera app was formally introduced as a joint development between the National Security Council, the Health Ministry, the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), and the Malaysian Communications and Multimedia Commission (MCMC).
Allowing users to report on their whereabouts by ‘checking-in’ via location-based QR codes, the app’s functions have now been further enhanced to show one’s proof of vaccination, enabling self check-ups, while also displaying COVID-19 hotspots within the vicinity and providing crucial COVID-19 updates on a daily basis.
Use of the app is governed under the Prevention and Control of Infectious Diseases Act 1988 [Act 342]. Failure to check-in at any premise via the app may result in a compound.
The Ministry of Health has since released a statement assuring that all user-data remains secure with MySejahtera, and that the spam emails were sent out after the ‘Need Help’ feature on the application was misused. The ministry has also added increased levels of security in MySejahtera to prevent the incidents from taking place again, reports The Edge.
For more stories like this, follow us on Facebook!
Also read: Did you receive a mysterious OTP message from MySejahtera? Here’s why:
